Cyberattacks cost companies, on average, US$3.8 million, according to XL Catlin. But another massive hit – one that is more difficult to quantify in dollar value – is to a company’s reputation.
John Coletti, chief underwriting officer for cyber and technology at XL Catlin, said reputational harm from a cyber breach is a very real concern for companies. However, he added, consumer opinion about breaches has changed in recent times.
“Reputational losses are a big concern for our clients,” he noted. “They’re recognising pretty quickly that if they lose their clients’ data, they lose their clients’ confidence. Clients aren’t going to want to work with them if they can’t keep their data safe.
“Companies are concerned, and they want to do everything they can to safeguard data, and, if they don’t, they’re worried about the reputational loss associated with that.”
XL Catlin policies cover the cost of hiring a public relations firm to triage the situation, to try to minimise and manage the fallout from a breach, and to attempt to retain some consumer trust.
But while loss of trust is certainly an issue, corporate reputations do not seem to take as much of a hammering as one might expect, Coletti said.
There has been, he said, some “breach fatigue” among consumers.
“I think we, as consumers, have actually kind of gotten used to the fact that our information is going to be breached at some point – and I don’t think the reputational damage is as damaging as we [at XL Catlin] initially anticipated,” he explained.
“I think there’s a bit of breach fatigue. When the first [major headline-worthy] breaches occurred, like Target, it was very shocking … and everyone thought, individually, it was going to have more of an impact on them. Everyone was signing up for credit monitoring. Now, we get some of the stats after the more recent breaches on what percentage of people are following through and signing up for the credit monitoring, and it’s in the single digits.”
The breach notification costs are still expensive, for the insurer and the insured, and the forensics companies still rack up fees, but “it’s just not that shocking any more,” Coletti said. “It’s still damaging, it’s just not as shocking.”
Nevertheless, breach fatigue or not, companies are also better prepared to weather the attacks they face.
The companies who are most prepared, with the best security, and with the best crisis management protocols in place, are the companies that come out the other side from a breach incident the best, Coletti said.
“If you respond better, you’re less likely to be sued by regulators. We definitely have seen that, first hand,” he said. “And responding is really about preparation – knowing who is going to do what, who is involved, what is the CEO going to say. It really is a big deal, and we offer some services that help an insured prepare for a breach, not just respond to one.
“We have seen companies spending more money and dedicating more resources to their security systems. The technology has gotten better, [and] they’re better at segmenting their systems, about putting layers of security around their critical assets.”
Finally, too, it seems businesses are finally waking up to the fact that everyone is vulnerable to these attacks. The “it won’t happen to me” attitude seems to be finally shifting, and that is good for business in all senses, Coletti said.
“Companies have acknowledged the fact they will get breached,” he explained. “So it’s just about making the most critical assets the hardest ones to get at. And then, even if something does happen, they have plans in place to respond.”
Related stories:
Travelers looks at the ‘unusual’ pace of the cyber insurance market
Travelers outlines why it doesn't want to grow faster in cyber insurance